appdb security

Chris Morgan cmorgan at alum.wpi.edu
Thu Jun 8 15:40:55 CDT 2006


Alright.  I'm sold on having to check all user input.  We should make this 
input checking change across the board if you are up for it.

$clean = array(); //array of filtered user input
+
+$clean['catId'] = makeSafe( $_REQUEST['catId'] );
 
 function admin_menu()
 {
-    if(isset($_REQUEST['catId'])) $catId=$_REQUEST['catId'];
-    else $catId="";
+    $clean['catId'] = makeSafe( $_REQUEST['catId'] );
+    if ( empty($clean['catId']) )
+    {
+        $clean['catId']="";
+    }
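Review bot: inside admin_menu(), `$clean['catId'] = makeSafe( $_REQUEST['catId'] );` writes to a function-local $clean, not to the top-level array created by `$clean = array();`, because the function neither declares `global $clean` nor takes it as a parameter; either pass $clean in (or declare it global) or drop the in-function assignment, since the top-level line already fills the same key. Two smaller points on the same lines: the removed `if(isset($_REQUEST['catId']))` guard is gone, so a request without catId now reads an undefined index before makeSafe() ever sees the value (moving the isset test into makeSafe() fixes that and also answers the question below the hunk); and `empty($clean['catId'])` is true for the string "0", so a category id of 0 is silently replaced with "". If 0 is a valid id, test with isset() and a digit check instead of empty().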


Is there a reason why we don't do the if(empty()) check inside of makeSafe()?

Chris


On Thursday 08 June 2006 1:40 pm, EA Durbin wrote:
> I always use the method of filtering user input as described at the php
> security consortium. It makes it easier to track tainted user input vs
> filtered input. If all filtered variables are put in an array it makes it
> easier to ensure you're using the non tainted variable.
>
> http://phpsec.org/projects/guide/1.html#1.4
>
> Then PEAR::DB to query the mysql database as PEAR::DB handles the SQL
> filtering.
>
> >From: Jonathan Ernst <jonathan at ernstfamily.ch>
> >To: wine-devel at winehq.com
> >Subject: Re: appdb security
> >Date: Thu, 08 Jun 2006 18:12:20 +0200
> >
> >On Thursday 08 June 2006 at 11:42 -0400, Chris Morgan wrote:
> > > Can you come up with a non-destructive working example for the appdb
> > > website(appdb.winehq.org)? ;-)
> > >
> > > I ask because I thought we went through this some time ago but I agree
> >
> >that
> >
> > > what you say looks like an open issue.
> > >
> > > Chris
> >
> >Lately I used the following snippet in all my webapps to secure them
> >against sql injection :
> >
> >http://php.net/mysql_real_escape_string under "Best practice".
> >
> ><?php
> >function smart_quote($value)
> >{
> >    // Stripslashes
> >    if (get_magic_quotes_gpc()) {
> >      $value = stripslashes($value);
> >    }
> >    // Protect it if it's not an integer
> >    if (!is_numeric($value)) {
> >      $value = "'" . mysql_real_escape_string($value) . "'";
> >    }
> >    return $value;
> >}
> >
> >// Secure query
> >$sQuery = sprintf("SELECT *
> >                    FROM users
> >                    WHERE user=%s AND password=%s",
> >                    smart_quote($_POST['username']),
> >                    smart_quote($_POST['password']));
> >mysql_query($sQuery);
> >?>
> >
> >I think it is better than what we have now in AppDB (didn't check it
> >though). If nobody looks at it, I'll check the code after my master
> >thesis (in one month).
> >
> >Jonathan
> >
> >
> ><< signature.asc >>
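The two approaches in this thread (a separate array of filtered input, and letting the database layer do the quoting) fit together in one short script. The following is an added example, not code from the AppDB tree or from anyone in this thread: it builds a $clean array from a constructed request, folds the isset/empty check into the filter functions as Chris asks, and hands values to a PEAR::DB-style placeholder query instead of interpolating them. The function names makeSafeInt/makeSafeString, the $clean layout, and the table and column names in the query are made up for illustration; the query is only assembled, not executed, so it runs without a database.

```php
<?php
// Added example (not AppDB code, not from the thread's authors).
// Names of the filter functions, the $clean keys, and the table/columns
// in the SQL are illustrative assumptions.

// Constructed sample request standing in for $_REQUEST.
$request = array(
    'catId'  => '0',                    // a legitimate id that empty() would discard
    'search' => "Office' OR '1'='1",    // quote-bearing string
    // 'appId' is deliberately absent to exercise the default path
);

// Integer filter: returns the value only if it is all ASCII digits,
// otherwise $default. Missing and malformed input are handled here, so
// callers never read the tainted array themselves.
function makeSafeInt(array $input, $key, $default = null)
{
    if (!isset($input[$key])) {
        return $default;
    }
    $value = (string) $input[$key];
    // ctype_digit rejects "42 OR 1=1", "1e5", " 42" and "" alike.
    return ctype_digit($value) ? (int) $value : $default;
}

// String filter: undo magic quotes if that old ini setting is on, drop
// control characters, cap the length. No SQL escaping is done here;
// quoting is the query layer's job.
function makeSafeString(array $input, $key, $maxLen = 255)
{
    if (!isset($input[$key])) {
        return '';
    }
    $value = (string) $input[$key];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return substr($value, 0, $maxLen);
}

// Everything the rest of the script uses comes from $clean, never from $request.
$clean = array();
$clean['catId']  = makeSafeInt($request, 'catId');      // int(0)
$clean['appId']  = makeSafeInt($request, 'appId');      // NULL (absent)
$clean['search'] = makeSafeString($request, 'search');  // "Office' OR '1'='1"

if ($clean['catId'] === null) {
    // Reject rather than guess: a missing or non-numeric id is a client error.
    die("catId is required and must be numeric\n");
}

// PEAR::DB style: '?' placeholders in the SQL, values passed separately, so
// the quote in $clean['search'] reaches the server as data, never as SQL.
// $db->query($sql, $params) is the real PEAR::DB call; only its arguments
// are built here.
$sql    = 'SELECT id, name FROM apps WHERE category = ? AND name LIKE ?';
$params = array($clean['catId'], '%' . $clean['search'] . '%');

var_dump($clean, $sql, $params);
```

Run it with `php example.php`: the dump shows catId kept as int(0), which the patch's empty() test would have thrown away, appId as NULL for the absent parameter, and the single quote in search left untouched because it is bound as a parameter rather than pasted into the statement. Compared with smart_quote(), the escaping decision is no longer made per value by the caller, so a forgotten call cannot silently produce an unquoted string in the query.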


